3 MUST-HAVE AREAS TO CONSIDER WHEN SETTING YOUR ORGANIZATION UP ON ATLASSIAN STACK

February 23, 2021
Table of Contents

    Atlassian tools like Jira and Confluence are well known for their flexibility and customization. When most software developers prefer this flexibility over closed systems, the regulated industries may often fear that this flexibility could affect their compliance. There are aspects that you will have to consider when setting your organization up on Atlassian stack when you are in a regulated domain.

    We have broken it down to 3 areas that you must consider when setting your organization up on Atlassian stack when you are working in a regulated domain.


    Are we doing things in the right way?

    The first thing to consider is how to set up your organization’s processes in Jira and Confluence. Every organization works differently but regulations require each company to have well defined processes in the form of SOPs (Standard Operating Procedures). It’s crucial that you get most out of your tools by configuring them in a way that supports your existing processes.

    Each project in Jira has several areas of configuration that support you in setting up Jira to correspond to the processes in your organization. These include Jira issue workflows, notification schemes, and permission schemes. They will help you to force a specific process application by customizing task lifecycle, automatic notifications sent out by app and data security aspects.

    To read more about setting up notifications in Jira please see our recent post on it. Confluence has slightly fewer customization areas but in case you want to automate your document approval process, you should look into the specific app customization options, e.g. in the additional apps like “Comala Document Management”. More on this in one of our recent posts.


    Who can see what?

    The second aspect of configuration consideration in the regulated domains is securing your data so only the authorized users can see them. It is expected that you have procedures that define, at a high level, the different access levels to each tool.

    Jira and Confluence both provide great and easy to use tools to have your data security under control.

    To configure the security of Atlassian products we need to start from the high-level principles:

    • First level of access to your data is done on application access level. This can be controlled by your admins who can determine who has the right to log in to Jira, Confluence or other Atlassian apps. It does not provide any access to data yet. It’s about keeping the number of your user licenses under control.

    • After you have been given the right to a specific application like Jira or Confluence, your right to access a specific Jira Project or Confluence site is checked next. There are several ways to provide that access – via project role, user-group, special role, and so on. Make sure all your projects or sites have the same access management rules applied. Ask your Jira/Confluence admin to show this access process/pattern and do not allow exceptions. It’s all about security.

    • Roles in an organization can easily be mirrored also in your tools. In other words, do not let your tools admins tell you how they should manage access. Your organization should have a clear vision of who can view, edit or create what kind of content. Remember that admins often provide more access than is needed to decrease their own work load. It’s only human. Remember to use the “principle of least privilege”.

    To read more about securing your Confluence, please look at our blog posts on roles in Confluence, page level restrictions in Confluence, securing documents in Confluence.


    Where is my data?

    Last but not least, you should consider data residency. Data residency is about the location in which your data is being stored. It is an important aspect when choosing a cloud operator for the regulated domains. GDPR (EU) requires processing and storing of personal data to be within the EU.

    Most Atlassian Cloud plans (see more about Atlassian Cloud plans) do not provide full control of your data residency yet, but it still provides a way to see where your data is stored. In case you need to have control over it, you will have to go with Cloud Enterprise plan. Other than that, you are free to choose between the plans freely and can see the location of your data.


    In case you have any questions about how to best set up your regulated company on Atlassian stack, do not hesitate to contact us. We’d be happy to help you.

    Table of Contents

    Ready to get started?

    Contact us to book a demo and learn how SoftComply can cover all your needs

    13485 implementation guide
    Picture of Marion Lepmets

    Marion Lepmets

    CEO
    December 18, 2024

    The Internet is full of articles about the implementation of ISO 13485. They talk about “Getting management support”, “Obtain The Documents And Study The Requirements”, “Develop An Implementation Plan”, “Evolution of a Quality Management System”, and other seemingly complex topics. Although comprehensive, most of these articles are self-serving, aimed at...

    SaMD Guide to Compliance
    Picture of Matteo Gubellini

    Matteo Gubellini

    Regulatory Affairs Manager
    December 3, 2024

    Introduction The first contact with the Medical Device regulatory world is a shock for most startups. These companies usually have excellent technical and clinical ideas on how to improve the patient’s life, but little knowledge of the legal burdens required to bring the medical device to the market. The technical...

    e-signature
    Picture of Matteo Gubellini

    Matteo Gubellini

    Regulatory Affairs Manager
    November 26, 2024

    What is an “Electronic Signature”? Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature. (21 CFR 11.3) In other words, to Electronically Sign a document means to...